Attacks based on power analysis have long existed and been studied, with some recent works focused on data exfiltration from victim systems without using conventional communications (e.g., WiFi). Nonetheless, prior works typically rely on intrusive direct power measurement, either by implanting meters in the power outlet or tapping into the power cable, thus jeopardizing the stealthiness of attacks. In this paper, we propose NoDE (Noise for Data Exfiltration), a new system for stealthy data exfiltration from enterprise desktop computers. Specifically, NoDE achieves data exfiltration over a building’s power network by exploiting high-frequency voltage ripples (i.e., switching noises) generated by power factor correction circuits built into today’s computers. Located at a distance and even from a different room, the receiver can non-intrusively measure the voltage of a power outlet to capture the high-frequency switching noises for online information decoding without supervised training/learning. To evaluate NoDE, we run experiments on seven different computers from top vendors and using top-brand power supply units. Our results show that for a single transmitter, NoDE achieves a rate of up to 28.48 bits/second with a distance of 90 feet (27.4 meters) without the line of sight, demonstrating a practically stealthy threat. Based on the orthogonality of switching noise frequencies of different computers, we also demonstrate simultaneous data exfiltration from four computers using only one receiver. Finally, we present a few possible defenses, such as installing noise filters, and discuss their limitations.

KEYWORDS
Covert channel, data exfiltration, power analysis, switching noise

1 INTRODUCTION
The total number of registered malware samples has grown by 36% in the past year and reached an all-time high of 690 million, let alone the huge number of undiscovered malware [59]. Importantly, more than 70% of the malware threats are in the form of phishing, spyware, and Trojans that aim at stealing sensitive information, especially from end users in companies, universities, among others (which we collectively refer to as enterprise) [70].

In the wake of growing risks of data theft, a proactive defense is to keep sensitive data within an enterprise network at all times. Nonetheless, this approach is vulnerable to various types of covert channel attacks, through which sensitive data is stealthily transferred to a program that can access external networks and eventually send information to the outside [11, 50, 69]. For example, one program’s usage pattern of CPU resources, if detected by another program, can be modulated for information transfer between the two [50, 57]. Consequently, to mitigate data theft risks, enterprise users commonly have restricted access to outside networks — all data transfer from and to the outside is tightly scrutinized.

Nevertheless, such systems may still suffer from data exfiltration attacks that bypass the conventional communications protocols (e.g., WiFi) by transforming the affected computer into a transmitter and establishing a covert channel. For example, the transmitting computer can modulate the intensity of the generated acoustic noise by varying its cooling fan or hard disk spinning speed to carry 1/0 bit information (e.g., a high fan noise represents “1” and “0” otherwise), while a nearby receiver with a microphone can hear the noise and decode the carried bits [8, 32, 34, 38]. Likewise, the power consumption [35, 73], the amount of generated heat [31], the electromagnetic interference (EMI) [29, 30], the system status LEDs [37, 55], and magnetic signal (to escape a Faraday cage) [36, 58] can all be modulated in a similar manner for data exfiltration.

Our contribution. We contribute to the existing body of research by designing a new data exfiltration system, called NoDE (Noise for Data Exfiltration), where a malware modulates the victim computer’s power consumption to send data over a building’s power network to the attacker’s receiver. The key novelty is that NoDE uniquely exploits high-frequency voltage ripples (i.e., electronic switching noises) generated by power factor correction (PFC) circuits built into today’s power supply units for power-consuming devices like computers. Like the existing data exfiltration attacks (Table 3), NoDE exhibits several desirable properties: a reasonable achievable bit rate (28.48 bits/s), good effective distance (27.4 meters), and no line-of-sight requirement. Additionally, based on an in-depth investigation of how PFC-induced switching noises relate to a computer’s power consumption, NoDE adds the following two distinguishing features to the literature.

• Indirect power measurement. NoDE uses indirect power measurement that does not require any tampering of the building’s power network and hence is more stealthy. Here, being indirect means that the target computer’s current does not directly flow through the attacker’s sensing device at the receiver; instead, the receiver only measures voltage signals containing PFC-induced switching noises which we find are correlated with the target computer’s power/current. Nonetheless, the existing power-based data exfiltration attacks rely on direct power measurement and hence are less stealthy [23, 35, 73]: a power meter is directly connected to the outlet or a sensing apparatus is placed along the cable directly powering the target device.

• Simultaneous data exfiltration. We identify the (approximate) orthogonality nature of PFC-induced switching noises in practice, thus allowing simultaneous data exfiltration from multiple computers to a single receiver without much interference. Thus, if multiple computers within the same power network are infected, only a single receiver is needed to exfiltrate data from these computers in parallel. This results in a higher overall exfiltration rate due to the multiple parallel data streams.

More concretely, we focus on an enterprise environment, with the goal of stealthy data exfiltration from a desktop computer. Note that we do not target military-grade systems that have sophisticated and expensive defense against information leakages (e.g., TEMPEST [26]). We first observe that the amplitude information of a computer’s electric current, and hence the power consumption, is contained in the voltage at any other power outlet connected to the same building’s power network.

In practice, however, it is very challenging to directly extract the current amplitude of the target computer from the voltage measurement, which consists of a blend of current amplitude information of all the devices within the same power network (Section 4.1). This is further compounded by the power grid’s random voltage fluctuations, which can be several orders of magnitude larger than the voltage variation caused by current amplitude variations.

We find that all desktop computers today are mandated to have built-in PFC circuits in their power supply units to reduce harmonics [18, 43, 64]. Importantly, these PFC circuits result in prominent high-frequency current ripples between 40kHz and 150kHz [64], whose amplitude changes with the computer’s power consumption — the higher the power consumption, the taller the ripples, and vice-versa. These high-frequency current ripples also produce high-frequency voltage ripples at other power outlets, which are referred to as switching noises. Thus, by properly filtering the received voltage signals at a power outlet, switching noises can be retained and the receiver is able to successfully extract information about the transmitter’s modulated current amplitude. Further, the switching noise frequencies are typically different for different computers and hence are not subject to much interference. This orthogonality of switching noises allows simultaneous data exfiltration attacks from multiple computers by a single receiver.

We present an end-to-end design of NoDE. Like any normal program, NoDE only uses the transmitter’s CPU resource without any special privilege (e.g., kernel access). Any device with data storage, such as a laptop and a cellphone, as well as an added analog-to-digital converter (ADC, to digitize the voltage signals) plugged into a power outlet can be used as a receiver. Moreover, NoDE does not require offline training or calibration using supervised classification algorithms.

To demonstrate the practical applicability of NoDE, we run experiments on seven computers with different configurations and vendors in four different labs/offices in two separate buildings. We also achieve successful exfiltration even when four computers send data simultaneously to a single receiver. We show that NoDE achieves successful data exfiltration with an effective rate of up to 28.48 bits/second, which is reasonably high compared to many existing covert channels [28, 29, 73]. More importantly, the receiver can be located in a different room approximately 90 feet (27.4 meters) away from the transmitter. Finally, we also present a set of possible defense mechanisms, such as installing noise filters, and discuss their limitations.

2 FEATURES OF NODE AND PRELIMINARIES

In this section, we first discuss NoDE’s distinguishing features and advantages under its own subclass of power analysis-based side/covert channel attacks. Then, we provide a note on the current PFC design in power electronics.

2.1 Power Analysis-based Attacks

NoDE falls under the power analysis-based attacks, and we identify the key differences of NoDE from the existing works. With power usage information of the victim, prior studies have achieved secret key extraction from smart cards and mobile devices [6, 23, 56], anomaly detection in embedded systems [14, 54, 66], tracking websites [13, 79], among others. Besides the orthogonal context and objective, our work stands apart from the prior studies in the following key aspects.

Power measurement. A prominent assumption made by many existing attacks is that the target system’s power consumption (or current) can be directly measured [13, 79]. Nonetheless, this can only be accomplished if the sensing apparatus is placed directly inside the target system or at the nearest power outlet (indicated by Fig. 1(a) and Q in Fig. 1(b)). Moreover, the way that the transmitter’s current is measured (e.g., measuring current at Q in Fig. 1(b)) [35] results in a very low bit rate because of strong interference from other computers and/or devices.

By sharp contrast, NoDE can collect voltage signals from any outlet within the same power network as the transmitter, and identifies and focuses on a unique frequency band for each transmitter, thus achieving stealthy data exfiltration (even simultaneously from multiple transmitters).

Offline training. The studies on side channel attacks using power analysis are prolific, e.g., recognizing TV content out of voltage signal measurement from a nearby outlet [19] and identifying human gestures using body-induced electric signals [15]. Nonetheless, these studies typically apply supervised machine learning models and need to extract a set of features from the collected power signals and compare them against a set of pre-recorded patterns for recognition. Thus, offline model training on the target system under a controlled environment is required. Clearly, this is not feasible in our context for reasons of stealth.

Our design is fundamentally different and does not need to match received signals against pre-trained patterns, which can significantly differ from runtime conditions. Instead, to receive new information from the target computer on the fly, NoDE adapts its 1/0 bit decision threshold and filter’s passband based on a small pre-determined pilot sequence on a frame-by-frame basis.

Simultaneous transmission using orthogonal signals. In addition to the intrusive nature, direct power measurement requires dedicated power meters (i.e., receivers) for each target computer. Placing a power meter at a higher level in the power network (e.g., at Q in Fig. 1(b)) to capture multiple transmitters does not work as the current signals from the transmitters as well as other equipment are superimposed in the readings and hard to distinguish. While NoDE also collects a mix of signals from all equipment, it can still separate each transmitted signal in the high frequency (10kHz~150kHz) using the insight that PFC circuits generate orthogonal high-frequency switching noises (Fig. 12).
While some side channel attacks directly look at the current amplitude [13, 79], the study [20] considers a wide frequency band (e.g., 1~60kHz) of collected voltage signals. Thus, when other appliances or multiple victims are present, strong interference can be produced. For example, the attack is demonstrated on only one TV in a home or small lab with a relatively clean power network [20]. By contrast, for each transmitter, we precisely extract the frequency feature over a proper narrow band (e.g., 60Hz) without strong interference from other devices, thus achieving simultaneous data exfiltration from multiple transmitters in a large lab with about 30 active computers (Section 6.2.2).

NoDE also differs from [44], which utilizes a wider frequency band (i.e., 1kHz or more) and estimates a data center-wide aggregated power consumption over a much lower time resolution (i.e., once every minute) for load injection attacks. By contrast, NoDE is specifically designed to detect individual power consumption at a time resolution of milliseconds.

2.2 NoDE and TEMPEST
Electromagnetic emission has long been known as a major source of information leakage [41]. Notably, the eavesdropping on electromagnetic radiation (EMR) of communication equipment in the early-mid 1900s led to the development of, to date partially classified, defense technologies code-named TEMPEST [26]. The recently declassified TEMPEST defense imposes stringent restrictions on electromagnetic radiation from computer systems both over the air and through power lines [26]. However, TEMPEST defense, shielding equipment and/or Faraday caging, is very expensive and mainly used in military applications. For example, NATO countries spend billions of dollars of their defense budget each year for TEMPEST shielding [1]. While the defense requirement is outlined, the technology for TEMPEST attacks still remains classified. There is skepticism on the feasibility of TEMPEST attacks [26, 40], not to mention the sophisticated sensing equipment necessary to carry out such an attack. Consequently, typical enterprise environments (e.g., companies), which are our target systems, may not necessarily adhere to the costly TEMPEST defense practices.

A relatively inexpensive alternative to TEMPEST using software, named Soft-TEMPEST, is proposed in [48]. Soft-TEMPEST targets obsolete CRT monitors and mainly reduces the electromagnetic emission distance, whereas NoDE utilizes power networks for data exfiltration at a distance.

2.3 Power Electronics
It is well known in the field of power electronics that the high-frequency switching operation in PFC circuits produces voltage noises and is fundamental for improving the power factor of appliances [64, 80]. The existing research on PFC designs is primarily from the efficiency perspective, e.g., how to select the conduction mode and switching frequency to achieve the best energy efficiency of power supply units and meet regulation compliances [64]. In sharp contrast, there is much less understanding from the adversarial perspective: how can the PFC-induced switching noises be exploited as useful signals for stealthy data exfiltration attacks? NoDE fills the gap by performing an in-depth study of how the switching noise amplitude relates to a computer’s power consumption and uniquely transforming switching noises of a computer’s power supply unit into data-carrying signals for data exfiltration.

3 THREAT MODEL
We consider a broadly-interpreted enterprise environment (such as company and university) which is a primary target for data theft [12, 77]. We focus on a desktop computer, because it is the predominant type of computer (especially for storing important data) and its built-in PFC circuit is suitable for information transfer (Section 4.3). For brevity, we also use “transmitter” or “computer” to denote the transmitting desktop computer.

Our threat model is illustrated in Fig. 2, including one or more transmitters and a receiver. Both the transmitters and receiver are connected to the same building’s power network. Note that, because typically there are filters between different buildings’ power networks, even dedicated PLC adapters cannot reliably communicate across different buildings [7].

Transmitter. A transmitter is a desktop computer infected by malware that intends to send sensitive information (e.g., password and financial information) to the outside without using any network or removable storage. Like in the existing literature on covert channels, our threat model builds upon the malware’s capability of obtaining sensitive information, and is not intended for sending large files due to rate limits. The malware can use the transmitter’s CPU like any normal program, but no special privileges are assumed by NoDE. Importantly, while it leverages the building’s power network, NoDE does not need to intrusively install a new or use an existing dedicated PLC adapter in the target transmitter.

Receiver. The receiver can be any innocuous-looking device that is plugged into an outlet in the same building’s power network as the transmitter. The receiver needs an ADC for digitizing its received voltage, which is universally used by any signal-collecting digital systems (e.g., digital temperature sensor) and can be easily hidden inside a laptop/cellphone charger. Moreover, the receiver can be located in a distant room different from the transmitter’s. Thus, there is no prohibitive requirement for a receiver. Even though the building is solely occupied by a single enterprise, guests are typically still allowed to plug their laptops or cellphones into an outlet for charging.

Practicality of malware injection. While there are various ways that malware can get into a computer, we classify them into two categories — easy and hard — based on the level of difficulty and effort required for malware infection.

- Easy: We consider the malware injection “easy” when the target computer can take input from the outside through external media and/or networks. For example, the target computer can get infected with malware when it visits malicious webpages or is connected to an affected USB drive, during which malware can be implanted without being noticed. It is the predominant approach of malware injection for today’s enterprise environments [76]. Not to mention those malicious injection incidents affecting millions of Internet users every day [59, 70], a striking example of infecting a mission-critical system is that the malware Stuxnet infected Iran’s nuclear program through an infected USB drive [49, 51].

- Hard: We consider that the malware injection is “hard” when there is no easy approach to malware injection. For example, the target computer can be almost completely isolated from all external networks, which is also known as “air-gapping” [28]. In such a scenario, malware can still be injected by exploiting hardware/software backdoors throughout the supply chain. For example, it has been recently reported that some microchips were added to servers’ motherboards during the manufacturing process without the knowledge of a major server vendor [63]. In other instances, ShadowPad was implanted into a software program developed by a third-party vendor, affecting hundreds of large businesses [45], while malicious batteries [53] and other hardware Trojans [76] are all known threats to data security. An even more striking example is that over 100,000 computers that had never been connected to any network were also implanted with information-stealing hardware Trojans by using a classified technology [68].

A complete data exfiltration attack involves two major steps. The first step is to inject a malware program into the target computer and collect sensitive information. The second step is to establish a covert communication channel to send sensitive data to the receiver. Like the existing covert channel literature [28, 33, 35, 53], our work focuses on the step of establishing a covert communication channel. Thus, we can embed NoDE into an existing information-collecting malware. Concretely, we describe the procedure of integrating NoDE with malware created by the recently released malware toolkit L0rdix [2, 46] as follows. The L0rdix toolkit comes with a variety of pre-built and configurable functionalities. It can steal information from the victim system by collecting login information, browser cookies, and files matching pre-configured extensions. It can also monitor clipboard content to steal data matching predefined strings. The L0rdix toolkit offers botnet capabilities such as opening a specific URL, executing commands, killing processes, uploading and downloading files, and running executable files. L0rdix also comes with USB infection, mining, detection prevention, anti-analysis, and anti-VM capabilities. In our context, we leverage the malware’s existing capabilities of system infiltration and information collection, and utilize its botnet functionality with our covert channel communication. We can either attach our code with L0rdix malware or configure L0rdix to download our program as malicious code. Other malware generators such as Senna Spy FTP, which spread as a Trojan bundled with free software, can also be used to secretly download the code of NoDE into an infected system [71, 75].

4 POWER NETWORK AS A COVERT CHANNEL

In this section, we present our covert channel residing in a building’s power network.

4.1 Overview of a Building’s Power Network

The utility power typically enters a building through a single point. Then, through a distribution box, power is split to different floors/rooms in parallel and finally to different power strips/outlets. For large buildings, a multi-level distribution hierarchy may be used. Further, the utility may provide three-phase power to buildings, and the three phases can be divided depending on functions (e.g., offices on one phase, and the central air conditioner on another) or physical topologies. For illustration, Fig. 3 provides a simplified example of a single-phase power network of a building, highlighting the parallel connection of different power outlets. The common source voltage \( V_S \) enters a distribution/panel box and reduces to \( V_C \) due to a voltage drop caused by the line resistance. Then, the voltage \( V_C \) is supplied to different rooms/outlets. We can write the receiver’s voltage signal \( V_r \) as

\[
V_r = V_C - I_r R_r = V_S - I_0 R - \sum_{n=1}^{N} I_n R - I_r(R + R_r), \tag{1}
\]

where \( R \) is the resistance of the common line from which all currents flow, and \( R_r \) is the resistance of the line directly supplying power to the receiver. Clearly, the receiver’s voltage signal \( V_r \) contains the transmitter’s current denoted by \( I_0 \) in Fig. 3, whose amplitude can be modulated by varying the CPU load to carry information (Section 5.1). Thus, if the receiver is able to extract \( I_0 R \) out of its signal \( V_r \), it can exfiltrate information from a computer through the power network.

4.2 Computer’s Power Supply Unit

We now look at the anatomy of a computer’s power supply unit and identify an important component — PFC circuit — which generates high-frequency current ripples that can be detected by the receiver.

4.2.1 A closer look at computer’s power supply unit. As shown in Fig. 4, a power supply unit based on the standard SMPS design draws 100–240V AC voltage from an outlet and then, after multiple stages, provides regulated 12V DC voltage to internal components such as CPU. Specifically, at the front end, there is an EMI filter to limit frequency components of greater than 150kHz both coming from and conducted back to the power network, in compliance with international regulations [17, 39]. Then, a rectifier converts the incoming AC voltage to a pulsating DC voltage (unipolar half-sine waves), followed by a PFC circuit which improves the power factor by regulating the input current waveform and making it resemble the entering voltage’s sine wave. Fig. 5(a) shows a snapshot of the current waveform drawn by our Dell computer with PFC. The PFC elevates the voltage to around 380V, which is stepped down and becomes 12V DC voltage for internal components.

Harmonic distortion is undesirable since it reduces the power factor and causes unwanted power losses in the power system [64]. Low-power devices with SMPS (switch mode power supply) are allowed to have a low power factor without PFC (see Fig. 22 in Appendix C.3 for the current waveform). Nonetheless, regardless of the actual power consumption, all devices with a power rating of 75W (applicable for desktop computers) must have PFC circuits for mitigating harmonics as mandated by international regulations [18, 43, 64]. Thus, a crucial point we highlight is that the PFC requirement for mitigating harmonics universally applies to all of today’s desktop computers.

4.2.2 Frequency spikes generated by PFC. As shown in Fig. 5(a), while improving power factor, the PFC circuit also produces high-frequency current ripples due to its working principle [64]. Specifically, the core of a PFC circuit is rapidly switching the incoming current between two modes — a rising mode where the current increases, and a falling mode where the current decreases. Through switching, the current drawn from the power outlet resembles a sine waveform following the voltage signal. The switching frequency is determined by a controller as well as the PFC components (e.g., inductor), and typically falls into the range of $40\text{kHz}$ to $150\text{kHz}$, which is not subject to EMI regulations that set limits on frequencies greater than $150\text{kHz}$ [17, 64].

There are three basic modes for PFC switching (a.k.a., conduction mode) as summarized in Table 4 in Appendix C.1. In practice, vendors may adopt proprietary designs using variants of the basic modes [64]. Naturally, the PFC’s switching operation results in high-frequency current ripples, thus generating a PSD (power spectrum density) spike around the switching frequency. Illustrative current waveforms and frequency analysis results are shown in Table 4. Note that when PFC is not used, there exist no such PSD spikes within $\langle 40\text{kHz}, 150\text{kHz} \rangle$ (see Fig. 22(b)).

Desktop computers’ power supply units all have a rated capacity of over 300W to accommodate extensibility. Thus, the continuous conduction mode (CCM) is most widely-used due to its low peak current. We show the current and its frequency analysis for our Dell computer in Fig. 5. It can be observed that with PFC, the harmonics are an order of magnitude smaller than the 60Hz component. Furthermore, the current waveform and frequency analysis match with those illustrative figures for CCM in Table 4 in Appendix C.1, clearly showing a prominent high-frequency PSD spike generated by the PFC circuit.

4.3 Extracting Transmitter’s Current based on PFC Switching Frequency

The receiver’s voltage signal in Eqn. (1) contains all the frequency components of the common source voltage and currents of all connected devices. That is, the high-frequency current ripples generated by PFC circuits affect voltage signals at any power outlet within the same power network, which are referred to as switching noise [64]. Consequently, if we filter out all but the transmitter’s high-frequency switching noises from the receiver’s voltage $V_r$, we are left with the transmitter’s switching noise around its PFC frequency and the switching noise amplitude is also highly correlated with the transmitter’s current $I_t$. This is achieved based on the (approximate) orthogonality of PFC’s switching noises.

Different computers typically have non-overlapping PFC switching frequencies. In fact, our experiment shows that even for computers with the same configuration and manufactured by the same vendor, different computers still have (slightly) different PFC switching frequencies due to manufacturing process variations and can simultaneously transmit data without much interference. Furthermore, the prominent PSD spikes between 40kHz and 150kHz do not interfere significantly with harmonics (predominantly less than 20kHz) generated by other devices. Therefore, in practice, the ripples in the receiver’s voltage signal caused by the target transmitter’s switching noise do not suffer from significant interferences from other sources.

We empirically validate the feasibility of extracting the transmitter’s current amplitude information. Our experiment is conducted in a lab with 30+ computers, where the transmitter and receiver are plugged into two outlets located about 55 feet away from each other. The details of the setup are presented in Section 6.1. We vary the transmitting computer’s current by varying its CPU load because compared to components such as hard disk and memory chips, a computer’s CPU has a high dynamic power that can be easily adjusted by loading/unloading the CPU. Moreover, CPU is ubiquitously available in all computers and needed by any running program. As GPUs are power-consuming, a computer’s current can also be significantly varied in a similar fashion by increasing the utilization of a dedicated GPU. Note, however, that a GPU is less ubiquitous compared to a CPU, especially in ordinary office environments. Thus, throughout our study, we will only utilize CPU to change a computer’s current for data exfiltration.

We show in Fig. 6(a) the transmitter’s CPU load and current amplitude, which match with each other quite well. Then, we perform a frequency analysis of the received voltage signal and show the result in Fig. 6(b). We see large frequency components between 40kHz and 80kHz (and sporadic higher-frequency spikes). These are mainly due to different computers’ PFC switching operations, and the components around 67.3kHz are caused by our transmitter. The temporal variation of the PSD spikes created by the transmitter is shown in the frequency spectrum in Fig. 6(c) where we can easily identify the transmitter’s high current periods. Next, we filter the collected voltage signal with a passband of $\langle 67.28\text{kHz}, 67.34\text{kHz} \rangle$ and show the filtered voltage signal in Fig. 6(d) where the filtered voltage signal resembles the current ripples (as shown in the zoom-in window). The filtered voltage amplitude is close to zero during the low current periods because the PSD spikes shift away from the 60Hz passband.

In summary, we have demonstrated that, with a proper band-pass filter, the amplitude of the receiver’s filtered voltage signal can recover the transmitter’s modulated current amplitude and hence be exploited for demodulation.

Figure 7: Input current’s response to CPU load changes. Due to power supply unit’s internal control, the current does not change immediately after change in the CPU load.

5 THE DESIGN OF NODE

In this section, we present the design of NoDE. As shown in Fig. 8, NoDE includes both a transmitter (i.e., a desktop computer with implanted malware) and a receiver (i.e., any voltage-collecting device plugged into a power outlet).

5.1 Transmitter Design

Like in the prior literature on covert channels [28, 29, 73], NoDE focuses on the physical process of data exfiltration — converting 1/0 bits into current amplitudes and decoding it from a remote outlet. That is, the implanted malware already collects needed information (Section 3) and encodes it into 1/0 bit streams that are ready for data framing and modulation. Next, we address the key design issues.

#### 5.1.1 Choosing symbol rate

NoDE modulates the transmitter’s current amplitude by varying the CPU load based on 1/0 bit values. Thus, the achievable symbol rate crucially depends on how fast the current amplitude changes in response to the CPU load. While the CPU usage can be adjusted within a millisecond or even faster [60], the current drawn by a computer may not instantly follow (i.e., lags) the CPU usage. Our experiment with a Dell PowerEdge computer in Fig. 7(a) shows that the current takes about 20–30 milliseconds to reach the peak after a jump in the CPU load at around 50 milliseconds. In addition, because of the feedback control adopted by a power supply unit, a sudden CPU load change can create a current inrush followed by a current dip. As shown in Fig. 7(b), the current also lags by around 30 milliseconds when the CPU load sharply changes from high to low.

Based on our experiment results, we choose 33ms as the default symbol duration. This means that, by modulating the transmitter’s current amplitude, the achievable symbol rate in NoDE is 30 symbols per second.

#### 5.1.2 Choosing modulation mode

For a fixed symbol rate, a higher bit rate can be achieved if each symbol carries more bits. Here, we run experiments to see how many bits can be successfully mapped into each symbol. \( 2^N \) discrete current/power levels are needed for \( N \) bits per symbol. For \( N = 2 \), we vary CPU loads at four levels (0%, 25%, 75% and 100%, representing “00”, “01”, “10” and “11”, respectively) and see how input current changes, given three different symbol lengths — 33ms, 66ms, and 100ms.

We show the results in Fig. 9 and see that when each symbol lasts 33ms, there is a mismatch between the CPU load (representing 2 digital bits) and the resulting current amplitude, thus clearly leading to a very high symbol error rate. As explained in Section 5.1.1, this mismatch is mainly due to the complex feedback control mechanisms and large capacitors inside a computer’s power supply unit. If the symbol length increases to 66ms, there is still insufficient time for the current amplitude to yield a steady response. The current amplitude correlates well with the CPU load when the symbol length increases to 100ms, but this means that the effective bit rate is only 20 bits/second, which is even lower than 30 bits/second achieved by a binary modulation with a symbol length of 33ms. With \( N > 2 \) bits per symbol, there is an even poorer correlation between the CPU load and input current, unless the symbol length is sufficiently large.

As a result, we choose binary modulation and use high and low currents to represent “1” and “0”, respectively. Concretely, we build upon the existing literature [34, 73] and design a simple current modulator as described in Algorithm 3 in Appendix D. The current modulator program takes 1/0 bit information as the input and runs some dummy calculations (e.g., generating random numbers) to load the CPU and change the computer’s input current.

#### 5.1.3 Choosing the frame length

Like in many communications systems [25], NoDE groups 1/0 bit sequences into frames, each beginning with a pilot sequence (Section 5.1.4). As shown in Fig. 8, following the pilot symbols is the actual payload that contains uncoded bits or coded bits using error correction techniques.

In our context, the transmitter’s PFC switching frequency is unknown to the receiver and may vary over time, albeit slowly. Throughout each frame, however, the transmitter’s PFC switching frequency should remain relatively constant. As shown in the cumulative density function (CDF) and the frequency spectrum in Fig. 21, the PFC switching frequency does not vary by more than 50Hz within 5 seconds. On the other hand, for a good bit detection, the receiver’s frequency band for filtering voltage signals can be only 60Hz. Thus, we conservatively choose a frame length of 100 symbols, resulting in frame duration of 3.3 seconds.

**Algorithm 1** Finding a Passband for Filtering Voltage Signals

1. Input: Voltage signal $V(t)$ of a pilot length, symbol length $T_b$, pilot sequence $B_p$, max window $F_{\text{max}}$ kHz, increment $F_{\text{inc}}$ kHz
2. for $lb = 20 \sim (150 - F_{\text{max}})$ kHz with increment $F_{\text{inc}}$ do
   3. for $ub = lb + F_{\text{inc}} \sim lb + F_{\text{max}}$ with increment $F_{\text{inc}}$ do
      4. $\tilde{V}(t)_{lb, ub} \leftarrow V(t)_{lb, ub}$ //filtering
      5. $E(t)_{lb, ub} \leftarrow \text{Envelope of } V(t)_{lb, ub}$
      6. Extract bits $B^*$ from $E(t)_{lb, ub}$ based on $T_b$
      7. Error vector $\text{err}(t)_{lb, ub} \leftarrow B^* \text{ XOR } B_p$
   8. end for
9. end for
10. if $\text{err}(t)_{lb, ub} == 0$ then //pilot sequence found
    11. Return $<lb, ub>$
12. end if

5.2 Receiver Design

On the receiver side, NoDE calculates the average amplitude of filtered voltage signals for every bit length and compares it against a detection threshold for deciding a 1/0 bit value. There are three major steps: (1) finding a passband for the filter; (2) identifying the start of a data frame; and (3) demodulating the extracted signals into 1/0 data bits.

5.2.1 Finding the filter’s passband. In practice, the transmitter’s PFC switching frequency is unknown to the receiver. Based on a predetermined pilot sequence, we propose a scanning process to find a frequency passband for filtering received voltage signals and retaining the prominent PSD spikes generated by the transmitter. The scanning process is described in Algorithm 1, where two nested loops scan through the frequency bands from 20 kHz to 150 kHz with a moving window of variable size. The notion of $<lb, ub>$ means a band-pass filter with $lb$ and $ub$ being the lower and upper cutoff frequencies, respectively. When $<lb, ub>$ appears as a subscript, it means that a signal passes through a band-pass filter $<lb, ub>$.

In each inner loop, the amplitude/envelope of the filtered voltage signal is extracted and then evenly sliced into bit-length pieces. Then, the average amplitude for each piece is used for deciding binary bit values. Specifically, we set the mean of bit-wise average amplitudes of the filtered signal as the binary bit decision threshold: a bit-wise average amplitude higher than the threshold is decoded as “1”, and “0” otherwise. Then, by comparing the extracted bits with the pilot sequence, we return the passband that yields no errors for pilot detection.

As the PFC switching frequency does not vary significantly over time, we only need to scan through a wide frequency range (e.g., from 20kHz to 150kHz) once. After the initial scan, the receiver only needs to quickly fine-tune its filter’s passband over a much narrower range (e.g., 500Hz around the previously-found passband, instead of 20kHz to 150kHz) to compensate for runtime switching frequency offsets. Moreover, provided that voltage signals are acquired and stored, bit extraction can be done offline, and hence the scanning complexity is not an issue. In fact, with $F_{\text{inc}} = 0.01$kHz, Algorithm 1 takes less than 5 minutes in Matlab on a laptop.

5.2.2 Identifying the start of a frame. While the filter’s passband does not vary significantly due to the slow variation of PFC switching frequencies, the bit detection threshold depends on the non-controllable environment (e.g., other computers with similar PFC switching frequencies can cause interferences) and hence can change quickly at runtime. We propose a time-domain scanning process to identify the bit detection threshold and start of each data frame based on the predetermined pilot sequence. The scanning process is presented in Algorithm 2.

5.2.3 Extracting data bits. After identifying a pilot sequence, the receiver can extract actual payload bits using the bit detection threshold returned by Algorithm 2: if a bit-wise average amplitude of the filtered signal is higher than the threshold, then the corresponding payload bit is decided as “1”, and “0” otherwise.

6 EVALUATION

This section presents experiment results to validate the practical feasibility of NoDE, highlighting that NoDE achieves an effective rate of up to 28.48 bits/second to a receiver located in another room about 90 feet ($\approx 27.4$ meters) away.

6.1 Methodology

Experiment setup. As listed in Table 2, we test seven computers with different operating systems/configurations, including four recently purchased from two top vendors (Dell and Acer) which collectively account for more than 25% of the global PC market share [42], an iMac (27 inch), and two custom-built computers with top-brand power supply units (Corsair and EVGA). They all have CCM type PFC in their power supply units. Our collection of desktops is representative of commonly used models in our target case of modern enterprise office setup.

These computers are located in four different labs/offices in two different buildings (referred to as A and B, respectively). As our default location, Lab #1 in Building A is a large shared lab space housing about 30 students with 30+ active desktop computers, where the transmitter’s and receiver’s power outlets are approximately 55 feet away from each other. Thus, Lab #1 represents an environment with high power line noises. The layout of Lab #1 is illustrated in Fig. 10. In addition, we also run experiments in another two labs (#2 with about 10 students and #3 with about 15 students) in Building A. Our experiment setup in Building B is illustrated in Fig. 14, where
We use Matlab to perform frequency analysis and filtering. In a real-world implementation, the receiver may also use a digital signal processing chip to filter voltage signals and demodulate bit values in real time.

**Metrics.** We calculate the bit error rate (i.e., percentage of bit errors) and effective transmission rate measured in bits/second (i.e., actual payload bit rate, excluding pilot symbols and erroneous bits). We also list in Table 2 the distance between the transmitter’s and receivers’ power outlets.

### 6.2 Evaluation Results

We now present our evaluation results, highlighting that NoDE achieves stealthy data exfiltration from desktop computers. We first present a snapshot of data exfiltration using NoDE followed by the case where four transmitters are simultaneously sending data to a single receiver. We then evaluate NoDE under different background applications, different numbers of CPU cores used by NoDE, and different pilot lengths. We also test how the CPU states affect NoDE, and the effectiveness of NoDE in data exfiltration without a line of sight. Finally, we present results with computers from different manufacturers.

#### 6.2.1 A snapshot of data exfiltration

We show in Fig. 27 the different stages of NoDE for data exfiltration from our Dell Optiplex computer with 4 CPU cores. For clarity, we only show the first 50 bits in a data frame. At the top, we show the frame bits with the pilot sequence highlighted in a gray shade. The “X”s prior to the pilot sequence indicate “no data”. Also, the time index “0” indicates the start of the frame. We then show the transmitter’s current, which is modulated by varying the CPU load. We can see that the current amplitude changes with the transmitted bits.

Then, we show the receiver’s unfiltered voltage signal, which is affected by grid voltage variations as well as all other loads sharing the same power network and hence barely reveals any useful information. Next, we show the filtered voltage signal with a passband of \(<67.28\text{ kHz}, 67.34\text{ kHz}>\) identified by Algorithm 1. The envelope/amplitude of the filtered voltage signal is extracted, and then the average amplitude is used for bit detection. From the pilot sequence, we identify the frame’s starting point and set the bit detection threshold accordingly (Algorithm 2). The bit-wise average amplitudes are then demodulated into the received bits—an average amplitude above the detection threshold is considered as “1”, and “0” otherwise. In this experiment, the received bits perfectly match the transmitted bits without any errors, resulting in an effective payload bit rate of 28.48 bits/second.

#### 6.2.2 Simultaneous transmissions

We simultaneously use multiple computers as transmitters to demonstrate that the PSD spikes from different computers do not interfere with each other. We conducted this experiment in Lab#1 using three Dell OptiPlex desktops with identical power supply units and one Dell XPS desktop with a different supply unit. Note that, while we use four computers as transmitters, there are other computers (30+) in the building that also generate switching noise spikes due to their PFC circuits.

Fig. 12 shows the frequency spectrum of the voltage signal from the receiver while the corresponding data frame extractions are shown in Appendix E.2. In the top figure, we show the frequency spectrum of the three transmitters with identical power supply units whose PSD spikes are close to each other (within the frequency

---

**Figure 10:** Experiment setup at Lab #1 in Building A. ① Transmitter. ② Power strip. ③ ADC for voltage signal acquisition (oscilloscope in our experiments). ④ Laptop for voltage filtering and bit detection. ⑤ Receiver’s power outlet.

Figure 11: Dell Optiplex computer: A snapshot of data exfiltration. The receiver’s voltage signal is filtered with a passband of $<67.28kHz, 67.34kHz>$ and the bit-wise average amplitudes of filtered voltage signals reveal the transmitted bits.

Figure 12: Four transmitters (TX#1–4) simultaneously sending data to a single receiver. Bit error rates of TX#1, TX#2, TX#3, and TX#4 are 0.0%, 6.8%, 1.1%, and 0.0%, respectively. The higher bit error rate for TX#2 is due to the partial overlap with TX#1.

Table 1: Summary of Data Exfiltration from Dell Optiplex

<table>
<thead>
<tr>
<th>Scenario</th>
<th>Bit Error Rate</th>
<th>Bits Per Second</th>
<th>Detection Results</th>
</tr>
</thead>
<tbody>
<tr>
<td>Default (4 cores)</td>
<td>0.0%</td>
<td>28.48</td>
<td>Fig. 27</td>
</tr>
<tr>
<td>With YouTube streaming</td>
<td>2.3%</td>
<td>27.82</td>
<td>Fig. 28(a)</td>
</tr>
<tr>
<td>With MS Word running</td>
<td>0%</td>
<td>28.48</td>
<td>Fig. 28(b)</td>
</tr>
<tr>
<td>With web browsing</td>
<td>0%</td>
<td>28.48</td>
<td>Fig. 28(c)</td>
</tr>
<tr>
<td>With HDD file transfer</td>
<td>3.5%</td>
<td>27.48</td>
<td>Fig. 28(d)</td>
</tr>
<tr>
<td>With ML training</td>
<td>1.67%</td>
<td>28.00</td>
<td>Fig. 28(e)</td>
</tr>
<tr>
<td>Loading 1 CPU core</td>
<td>8.9%</td>
<td>25.94</td>
<td>Fig. 29(a)</td>
</tr>
<tr>
<td>Loading 2 CPU cores</td>
<td>2.5%</td>
<td>27.77</td>
<td>Fig. 29(b)</td>
</tr>
<tr>
<td>Loading 3 CPU cores</td>
<td>0.0%</td>
<td>28.48</td>
<td>Fig. 29(c)</td>
</tr>
<tr>
<td>Using 4-bit pilot sequence</td>
<td>3.3%</td>
<td>28.13</td>
<td>Fig. 30(a)</td>
</tr>
<tr>
<td>Using 8-bit pilot sequence</td>
<td>0.0%</td>
<td>27.88</td>
<td>Fig. 30(b)</td>
</tr>
</tbody>
</table>

It also reduces the difference between transmitted "0"s and "1"s, resulting in a 2.3% bit error rate. We also run experiments using MS Word, web browsing, file transfer, and machine learning training as background applications, resulting in 0%, 0%, 3.5%, and 1.67% bit error rates, respectively. In the MS Word experiment, we mimic user behavior by repeatedly opening a new file, typing a few lines of text and then saving the file. For the web browsing experiment, we open new popular websites (e.g., GMail and Facebook), scroll through the page content, and follow links to other pages. For the file transfer experiment, we transfer a 5GB file from one HDD drive to another in our desktop computer running Windows 10. For the machine learning experiment, we repeat training Tensorflow in Python with 6000 samples from the MNIST data set, taking around five minutes to finish [52]. From the results in Table 1, we see that under a diverse set of background applications running simultaneously, NoDE still maintains a low bit error rate.

---

¹ Our test desktop does not have a dedicated GPU to offload video processing.

Second, we use CPU pinning to restrict the number of cores that are assigned to the modulation program in NoDE. Reducing the number of cores increases the bit error rate because it limits how much the modulation program can vary the transmitter’s current. Nonetheless, we find that even by loading only one CPU core (the weakest transmission), NoDE achieves an effective rate of 25.94 bits/second. In Table 1, we omit the four-core case, which is our default case with 0% bit error rate.

Finally, we consider 4-bit (“1101”) and 8-bit (“11001010”) pilot sequences. We see that when using a 4-bit pilot sequence “1101”, the bit detection threshold may not be properly set due to lack of enough pilot symbols, but it has lower overhead than the 8-bit pilot and NoDE still achieves 28.13 bits/second.

6.2.4 Impact of CPU scaling on the transmitter. We tune the CPU scaling of the transmitter by changing the “maximum processor state” in the Windows power management system. We vary the maximum processor state from 10% to 100% which, in our test computer, corresponds to CPU frequency from 0.79 GHz to 3.68 GHz. We use the default settings and transmit 100 frames under each different CPU scaling and record the average power consumption of the transmitter using a WattsUp power meter. Figs. 13(a) and 13(b) show the bit error rates and power consumption for the different CPU scaling. Similar to our experiment with the number of cores for NoDE, we see a higher bit error rate when the transmitter consumes less power due to reduced CPU speed. Note that, while dynamic CPU scaling at runtime is supported by modern CPUs, it is more commonly applied in data centers with sophisticated power-performance control, where energy saving is a crucial concern. For typical enterprise environments, DVFS is not applied and instead, desktop computers commonly run at the high-performance mode (i.e., 100% maximum processor state, which is also the default setting in Windows 10).

6.2.5 Data exfiltration without line of sight. As shown in Fig. 14, we run an experiment in Building B where the transmitter and receiver are plugged into two outlets located in two different rooms which are approximately 90 feet away from each other. We use a Dell PowerEdge computer as the transmitter which, albeit using a different switching frequency, adopts the same PFC design as our Dell Optiplex computer. We show a snapshot of extracted signals at the receiver in Fig. 33 in Appendix E.4. We see that, compared to Fig. 27, the distinction between bit “1” and bit “0” in terms of the average amplitude of filtered voltage is less significant. Nonetheless, even with a transmitter-receiver distance of 90 feet and across different rooms, NoDE still achieves error-free stealthy data exfiltration with a rate of 28.48 bits/second.

6.2.6 Data exfiltration from other computers. To further evaluate NoDE, we run more experiments on four additional computers: an Apple iMac, an Acer, and two custom-built systems with third-party power supply units (Corsair and EVGA). These computers are located in different labs in Building A. For the iMac, we could achieve a maximum of 15.79 bits/second due to the iMac’s slow response to power change and wider frequency signature (discussed further in Appendix E.6). We summarize our results in Table 2, while the details are presented in Appendices E.5 and E.6.

In summary, while certain conditions may degrade the effectiveness of NoDE, our experiments on different computers and under different settings confirm that NoDE can exploit a building’s power network as a covert channel for stealthy data exfiltration from desktop computers without using a conventional communication network.

6.3 Discussions

We now discuss NoDE from the following important aspects.

Comparison with PLC adapters. Without dedicated physical powerline communications (PLC) adapters, NoDE still achieves information transfer over power networks. This is due to the PFC’s capability of generating prominent high-frequency quasi-orthogonal switching noises. During our experiments, we have found that the amplitudes of PFC-induced switching spikes and high-frequency voltage signals (in MHz range) modulated by a PLC adapter (NETGEAR PowerLINE 1000) are in the same order of magnitude. Thus, in practice, the achievable transmission range of NoDE is expected to be similar to that of a PLC adapter (typically up to a few tens of meters) [7].

Missed frames and bits. In any covert channel [29, 35, 73], some frames may not be successfully received due to erroneous pilot and/or payload symbols, and the receiver is not able to notify the transmitter due to the unidirectional covert channel. To trade efficiency for reliability, the transmitter may send each data frame multiple times and/or apply error correction coding [25].

Higher bit rate and limit. Like in the existing power-based data exfiltration literature [35, 73], we empirically demonstrate the achievable bit rate of NoDE. Nonetheless, we provide conjectures on two possible approaches to further improving the achievable bit rate for data exfiltration. First, we may possibly improve the achievable bit rate if privileged access to the target computer’s PFC is granted. Specifically, the PFC’s feedback gain may be altered to increase the responsiveness of the power supply unit, i.e., the power supply unit follows changes in the CPU utilization/power consumption more closely. This is achievable since modern computer power supplies utilize digital control to adjust the feedback gain [64, 74]. Second, given privileged access to the computer’s power supply unit, another complementary approach is to modulate the PFC’s switching frequency for data exfiltration. The digitally-controlled PFC circuit allows dynamically setting the switching frequency. Moreover, frequency modulation requires wider bandwidth and hence can be susceptible to greater interferences from other devices/computers.

**Sources of bit errors.** Various factors can introduce bit errors during data exfiltration, including the source signal strength (affected by the amount of transmitter power consumption that can be modulated by the malware and the PFC design), signal propagation path and fading (affected by the relative location/distance of transmitter and receiver, line impedance, building’s power network topology), interferences from other devices with similar PFC switching frequencies, among others. While it is challenging, if not impossible, to theoretically quantify the impact of different factors on the resulting bit errors for a given transmitter-receiver pair, one can qualitatively conclude based on standard bit error analysis for additive white-Gaussian noise channels [25] that a lower bit error rate can be achieved by increasing the source signal strength, reducing the signal propagation fading, and/or mitigating interferences. These are also reflected by our above empirical results.

**Scalability of NoDE.** The scalability of the simultaneous exfiltration depends largely on whether or not switching noise spikes generated by different computers overlap with each other. Next, we discuss the following three different cases — orthogonal switching noises spikes, overlapping switching noise spikes, and practical scenarios.

- **When switching noise spikes of different computers are perfectly frequency-orthogonal.** In this case, data exfiltrations from different transmitting computers can be viewed as independent, with no significant interference from each other. If we conservatively assume that the switching noise spike of a computer occupies a frequency band of 500Hz (400Hz sidebands around the most prominent spike plus 100Hz guard band) and that the noise spikes of all transmitting computers are perfectly frequency-orthogonal, then NoDE can achieve simultaneous data exfiltrations from up to 200 computers over the frequency range of 50–150kHz, which is the range for typical switching frequencies of PFC circuits [64].

- **When switching noise spikes of different computers are overlapping in frequencies.** In this case, simultaneous data exfiltrations become challenging, as in the case of any communications systems [25]. Thus, different transmitting computers need to access the covert channel at different times. This is not restrictive, since a target computer may not always send data over our covert channel.

- **Practical scenario.** In practice, the likelihood of overlapping PFC-induced noise spikes is not very high because the switching frequency is not tightly regulated in the power supplies. Thus, under a scale of up to a few tens of computers, we expect that the switching noise spikes of some computers may partially overlap, while most noise spikes do not overlap (Fig. 12). If other background computers have overlapping switching noise spikes with a target computer, their switching noises can be viewed as quasi-static background noises and do not significantly affect data exfiltrations from the target computer. For example, on a single computer with simultaneous background applications, we show in Table 1 that NoDE still can successfully exfiltrate data.

To summarize, the likelihood of having overlapping PFC-induced noise spikes among two computers is not very high in practice, thus allowing simultaneous data exfiltrations. Nonetheless, when two or more target computers have the overlapping switching noise spikes, they need to transmit information at different times using NoDE.

### Table 2: Summary of Experiments on Seven Different Computers.

<table>
<thead>
<tr>
<th>Transmitting Computer</th>
<th>Configuration</th>
<th>Operating System</th>
<th>Power Supply Unit</th>
<th>Year</th>
<th>PFC Switching Frequency</th>
<th>Location</th>
<th>TX-RX Distance</th>
<th>Bit Error Rate</th>
<th>Bits Per Second</th>
<th>Detection Results</th>
</tr>
</thead>
<tbody>
<tr>
<td>Dell Optiplex 9020</td>
<td>Core i7-4790, 16 GB</td>
<td>Windows 10</td>
<td>Dell-L290EM-01 300W by Lite-on Tech. Co.</td>
<td>2015</td>
<td>~67.3 kHz</td>
<td>Lab #1</td>
<td>~55 feet</td>
<td>0.0%</td>
<td>20.18</td>
<td>Fig. 27</td>
</tr>
<tr>
<td>Dell PowerEdge R630</td>
<td>Dual Xeon E52640, 32GB</td>
<td>Ubuntu Server 14.04</td>
<td>Dell-E495SE-51 495W by Astek Intl.</td>
<td>2016</td>
<td>~65.8 kHz</td>
<td>Office</td>
<td>~90 feet</td>
<td>0.0%</td>
<td>20.18</td>
<td>Fig. 33</td>
</tr>
<tr>
<td>Dell XPS 8920</td>
<td>Core i7-7700, 16 GB</td>
<td>Windows 10</td>
<td>Dell-460AM-03 385W by Delta Electronics Inc.</td>
<td>2017</td>
<td>~60.1 kHz</td>
<td>Lab #1</td>
<td>~55 feet</td>
<td>0.0%</td>
<td>20.18</td>
<td>Fig. 31(d)</td>
</tr>
<tr>
<td>Acer G3-710</td>
<td>Core i7-7700, 16 GB</td>
<td>Ubuntu 16.04</td>
<td>ACER 750W</td>
<td>2016</td>
<td>~63.5 kHz</td>
<td>Lab #2</td>
<td>~20 feet</td>
<td>10.1%</td>
<td>25.60</td>
<td>Fig. 34(a)</td>
</tr>
<tr>
<td>Custom Built #1</td>
<td>Core i7-7700, 16GB</td>
<td>Windows 10</td>
<td>Corsair 850W RM850x-RPS0110</td>
<td>2018</td>
<td>~91.2 kHz</td>
<td>Lab #1</td>
<td>~55 feet</td>
<td>8.1%</td>
<td>26.17</td>
<td>Fig. 34(b)</td>
</tr>
<tr>
<td>Custom Built #2</td>
<td>Core i7-7700K, 16 GB</td>
<td>Ubuntu 16.04</td>
<td>EVGA 850W Supernova 850G2</td>
<td>2016</td>
<td>~67.7 kHz</td>
<td>Lab #3</td>
<td>~15 feet</td>
<td>9.2%</td>
<td>25.85</td>
<td>Fig. 34(c)</td>
</tr>
<tr>
<td>Apple iMac Model A1419 (27-inch)</td>
<td>Core i5-3470S, 8 GB</td>
<td>macOS 10.13.3</td>
<td>Apple 300W PA13112A1 (for 2012-2017 models)</td>
<td>2015</td>
<td>~101 kHz</td>
<td>Lab #1</td>
<td>~55 feet</td>
<td>16% (50ms/sym)</td>
<td>15.79</td>
<td>Fig. 35</td>
</tr>
</tbody>
</table>

7 DEFENSE MECHANISM

Three major approaches exist to defend against NoDE—eliminating PFC-induced switching noises, preventing the switching noises entering the power network, and suppressing malware activities. The first two approaches involve hardware implementation and/or modification, while the last approach can be implemented primarily in software.

7.1 Eliminating PFC-induced Switching Noises

Completely eliminating PFC noise would require re-designing computers’ power supply units with a fundamentally different PFC strategy. However, it is non-trivial to find alternative solutions to replace the existing mature designs of power supply units without compromising energy efficiency. Moreover, such a change will require an industry-wide upgrade which is not likely to occur anytime soon. Alternatively, a stricter EMI regulation can be imposed to include components less than 150kHz.

7.2 Preventing Switching Noise From Entering Power Networks

An intuitive defense against NoDE is to power a computer through a UPS instead of directly connecting it to a power outlet, thereby restricting the PFC noise from entering the power network. In such a case, as shown in Fig. 15(a), the UPS sits between the desktop power supply and the power outlet (i.e., power network). However, a UPS does not necessarily provide electrical isolation from the power network. Instead, it “bypasses” the utility power to its connected devices during normal operation. The UPS acts as an alternate power source when the power supplied through the utility is interrupted in the event of voltage drop or complete power losses. To illustrate this, we connect our Dell PowerEdge computer to a 600VA CyberPower UPS and conduct our data exfiltration experiment in Building B. As shown in Fig. 36, we have “zero” bit error, which matches our previous experiments without the UPS. Hence, a UPS-powered computer is not necessarily immune to the threat of NoDE, let alone the added UPS cost.

Another defense is to insert a power line noise filter between computers and power outlets, as shown in Fig. 15(b). The filters are commercially available to use together with household/office appliances for reducing interference and better facilitating power line communications. However, they mainly reduce the amplitude of appliance-generated noise entering the power network, without complete elimination. To demonstrate this, we run an experiment on our Dell PowerEdge computer plugged into a power line noise filter (X10 XPPF [78]) in Building B. The resulting received signal is shown in Fig. 37, from which we see that the signal amplitude of the PFC-induced switching noise spike is degraded by more than a factor of 10 compared to the case without any filters (Fig. 33). Thus, while not entirely prohibiting the transmitter’s switching noise spikes from entering the power network, the power line noise filter can significantly attenuate the amplitude of spikes, reducing the effective transmission distance.

7.3 Suppressing Malware Activities

As data exfiltration is done by varying the CPU load to modulate the transmitter’s overall power consumption, a possible defense is to randomly vary the CPU load to de-correlate the overall power consumption with information bits. In the prior literature, hardware-based techniques have been developed to randomize the power consumption and obfuscate the power signature of instructions executed in devices [3, 16, 27, 61]. While they are efficient in terms of the power overhead for randomization, such hardware-based techniques are typically tailored for devices with specific functions such as cryptography and not suitable for commodity processors. On the other hand, power randomization can also be achieved by software-based approaches.

Concretely, we evaluate software-based approaches for power randomization with two different implementations—RandomNoise and RandomPower. In RandomNoise, we design a program that launches CPU-intensive computations at random times to add random power consumption. In RandomPower, we follow the state-of-the-art technique to randomize the overall power consumption using a feedback loop [67]. As illustrated in Fig. 16, RandomPower samples the CPU power and uses combinations of CPU speed scaling (DVFS) and CPU-intensive computation to fine-tune the power to follow the random pattern generator. The key difference between these two approaches is that RandomNoise mainly adds random power noise to the existing power consumption patterns, whereas RandomPower randomizes the overall power by more proactively controlling the CPU.

RandomNoise. We test NoDE’s performance under varying settings of RandomNoise’s time interval of added CPU loads, percent time of high CPU load, and the number of CPU cores used. Fig. 17(a) shows NoDE’s bit error rates as we increase the percent time of high CPU load from 10% to 90% for three different loading intervals (15/33/66 milliseconds). We see a general trend that, regardless of the interval length, an increasing percentage of CPU high load affects NoDE more. We also see that 15 milliseconds loading interval is worse than both 33 and 66 milliseconds intervals because it does not create a sustained high CPU load. On the other hand, we see from Fig. 17(b) that loading more CPU cores by RandomNoise also increases NoDE’s bit error rate.

RandomPower. We implement RandomPower in Ubuntu and use the Intel RAPL interface for sampling the power [47, 65], cpufreq for DVFS [5], and repeated floating-point operations as CPU-intensive computation. While we implement RandomPower on Linux, software-based power monitoring and DVFS in other systems (e.g., Windows) are also available [5, 9, 10, 47]. In our experiment, the target power is determined by random numbers generated following a Gaussian distribution where we discard values smaller than 0 and greater than 1, resulting in a truncated Gaussian distribution. The values of 0 and 1 correspond to 35W and 85W in our experiment, respectively. The mean and variance are user-set inputs to RandomPower, and the resulting probability density function can be expressed as

\[
f(x; \mu, \sigma) = \begin{cases} 
\frac{1}{\Phi(\mu, \sigma) \sigma \sqrt{2\pi}} e^{-\frac{(x-\mu)^2}{2\sigma^2}}, & \text{if } 0 \leq x \leq 1, \\
0, & \text{otherwise,}
\end{cases}
\]

where Φ ... works perfectly against NoDE, and we cannot even identify the pilot sequence to extract the transmitted bits.

Overhead. Both RandomNoise and RandomPower add overhead to the system to defend. Since RandomNoise injects random power noise, it results in additional power consumption by the computer. To have a detailed view of RandomNoise’s overhead, we show the power overhead under different cases in Fig. 19(a) with the 15-millisecond results as outliers. We calculate the power overhead by running RandomNoise without any transmission and subtracting the idle power (∼28W) from the average power consumption. The key message from Fig. 19(a) is that RandomNoise can significantly affect NoDE’s performance (>30% bit error rate) when it injects more than 20W of random power consumption. Nonetheless, in relation to the 28W idle power of our test computer, this amounts to a 70% overhead.

For RandomPower, we have both power overhead when CPU-intensive workloads are launched to increase the overall power, and performance overhead when CPU speed is throttled to reduce the overall power. To evaluate the power and performance overheads, we run RandomPower with four different applications — Machine learning training (ML), large file transfer in hard disk (IO), word processing (Word), and web browsing (Web). Figs. 19(b) and 19(c) show the change in power and performance overheads as we change the average power consumption target by changing the mean of the truncated Gaussian random distribution. We calculate the power overhead by subtracting the average power consumption without RandomPower from the average power consumption with RandomPower. For the performance overhead, we take the ML training and file transfer completion times with RandomPower and normalize the values with respect to those without RandomPower. We exclude Word and Web from the performance overhead evaluation since they do not have completion times like ML or IO applications. Note that during our experiments, we do not experience any significant perceivable impact of RandomPower on the performance of word processing and web browsing.

Figure 16: The building blocks of RandomPower which defends against NoDE by randomizing the computer’s power consumption.

Figure 17: (a) and (b) Impact of RandomNoise on NoDE’s bit error rate for different settings.

Figure 18: Illustration of the power variation following the target random number with a 0.5 mean and 0.5 standard deviation.

We see that the power overheads increase with increasing average power consumption. Also, RandomPower’s power overhead with perfect defense is lower than RandomNoise’s power overhead at higher bit error rates. More importantly, however, we see that different applications have different power overheads for the same average power, with ML having a negative power overhead when the average power is less than 70W. This is due to each application’s power requirement. RandomPower running along an application with a low power requirement mostly adds power to follow its power target, whereas RandomNoise needs to apply CPU throttling more frequently to reduce power when the underlying application requires more power. This is also why ML has a negative power overhead, indicating that due to frequent throttling RandomPower has reduced the average power lower than the otherwise average power requirement of ML without RandomPower. From Fig. 19(c), it is also evident that frequent throttling at lower average power targets causes a higher performance overhead for the ML application. For the IO application, we do not see a significant performance variation since CPU throttling does not severely affect the file transfer speed. The key take-away from the results is that the overhead for RandomPower depends on the underlying application and, for power-hungry applications, reducing the power overhead comes at the expense of performance degradation. A favorable balance between power and performance overheads can be attained through careful choice of the random number distribution parameters (e.g., mean).
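The truncated-Gaussian target and the feedback loop of RandomPower can be explored offline with the following added example, which is not the authors' implementation. It assumes idealized actuators (one signed watt offset standing in for added CPU work and DVFS throttling instead of real RAPL/cpufreq calls), takes Φ(μ, σ) to be the Gaussian probability mass on [0, 1] (the value that makes the density integrate to 1), and uses constructed application power levels (75 W for an ML-like load, 40 W for a Word-like load), hold time, gain and seeds.

```python
import math
import random

P_MIN, P_MAX = 35.0, 85.0  # watts the page maps to target values 0 and 1


def phi(mu, sigma):
    """Normalizer: probability mass of N(mu, sigma^2) that falls in [0, 1]."""
    def cdf(x):
        return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))
    return cdf(1.0) - cdf(0.0)


def truncated_pdf(x, mu, sigma):
    """f(x; mu, sigma) as written on the page, using phi() above."""
    if not 0.0 <= x <= 1.0:
        return 0.0
    gauss = math.exp(-((x - mu) ** 2) / (2.0 * sigma ** 2))
    return gauss / (phi(mu, sigma) * sigma * math.sqrt(2.0 * math.pi))


def sample_target(rng, mu, sigma):
    """Draw Gaussian values, discarding any outside [0, 1]."""
    while True:
        x = rng.gauss(mu, sigma)
        if 0.0 <= x <= 1.0:
            return x


def random_power(app_watts, mu, sigma, hold=10, gain=0.5, seed=7):
    """Simulated RandomPower loop over a per-step application power trace.

    u is the actuator setting in watts: u > 0 stands for added CPU-intensive
    work, u < 0 for throttling (idealized actuators, an assumption).
    Returns (wall-power trace, fraction of steps spent throttling).
    """
    rng = random.Random(seed)
    u, target, wall, throttled = 0.0, P_MIN, [], 0
    for step, app in enumerate(app_watts):
        if step % hold == 0:  # new random target every `hold` control steps
            target = P_MIN + sample_target(rng, mu, sigma) * (P_MAX - P_MIN)
        measured = app + u  # what the power sampler would report
        wall.append(measured)
        throttled += u < 0.0
        u += gain * (target - measured)  # feedback closes part of the error
    return wall, throttled / len(wall)


def mean(xs):
    return sum(xs) / len(xs)


def correlation(a, b):
    """Pearson correlation between two equally long traces."""
    ma, mb = mean(a), mean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    var_a = sum((x - ma) ** 2 for x in a)
    var_b = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(var_a * var_b)


def toggling_trace(base, swing, sym, n_sym, seed=3):
    """Constructed input: load switches between base and base+swing per symbol."""
    rng = random.Random(seed)
    trace = []
    for _ in range(n_sym):
        trace += [base + swing * rng.randint(0, 1)] * sym
    return trace


if __name__ == "__main__":
    for name, watts in (("ML", 75.0), ("Word", 40.0)):  # constructed levels
        app = [watts] * 5000
        wall, frac = random_power(app, mu=0.5, sigma=0.5)
        print(f"{name}: overhead {mean(wall) - mean(app):+.1f} W, "
              f"throttling {frac:.0%} of steps")
    load = toggling_trace(40.0, 20.0, sym=8, n_sym=1000)
    wall, _ = random_power(load, mu=0.5, sigma=0.5)
    print(f"load/wall correlation with RandomPower: {correlation(load, wall):+.2f}")
```

In this model the power-hungry trace ends up with a negative power overhead and a high throttling fraction, while the light trace pays a positive power overhead, mirroring the application dependence described above.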

**RandomNoise vs RandomPower.** RandomPower is more effective against NoDE than RandomNoise, since RandomPower offers a perfect defense against NoDE and incurs a lower power overhead as well, especially for power-hungry background applications. However, RandomPower incurs possible performance overheads due to the CPU throttling. It may also require additional OS privileges and/or accesses for CPU throttling and instrumentation for power sampling.

In addition to the aforementioned pro-active countermeasures, a reactive defense approach would be to identify and remove data exfiltration malware by monitoring application behavior or computer CPU utilization. However, the constant emergence of new malware remains as, and will continue being, one of the greatest threats faced by computers [4, 59, 70, 72]. On the other hand, utilizing the knowledge of NoDE for data exfiltration, one can design a power network voltage monitoring system that continuously scans through the voltage signals for suspicious switching noise spike patterns in the high frequency. A potential drawback of this approach is the computational burden to continuously monitor a large frequency spectrum since PFC-induced switching noise is generated by every computer power supply unit.

In summary, we see that different countermeasures against NoDE have their own merits and hurdles. Based on our study, as a hardware-based defense, we recommend the installation of power noise filters because of their attenuation of PFC-induced switching noises. As for the software-based technique, we recommend power randomization due to its effectiveness.

8 RELATED WORK

There have been a plethora of studies on data exfiltration under a threat model where an adversary tries to extract information from a tightly secured computer system without using traditional data transfer protocols (e.g., network). The key idea is to encode information in physical attributes (e.g., the heat generated by a computer [31]) to carry it to an external receiver (e.g., temperature sensor). Meanwhile, decoding changes of these physical attributes does not require any cyber access to the target system, thus bypasses the system’s defense and forms covert channels for stealing information. Alternatively, a secure system may spill its secrets by inadvertently influencing an externally visible physical property (i.e., a side channel) [22–24].

Table 3 summarizes the physical medium, key design attributes, transmission rates, and effective distances of the recently proposed data exfiltration attacks. Compared to the existing research, NoDE achieves a reasonably high bit rate of 28.48 bits/s. Most acoustic covert/side channels cannot achieve a transfer rate higher than NoDE, except for [8] (140 bits/s) which requires the target to be equipped with a speaker and the receiver be in the same room as the target computer. [8] can reach up to 67,000 bits/s only in the audible range (20Hz–20kHz) at the expense of high detection possibility. On the other hand, both electromagnetic emanation and magnetic covert/side channel can achieve similar transfer rates as NoDE but have much shorter effective distances. [29] can reach a commendable speed of 1000 bits/s but requires professional-grade receiver hardware with a high sophistication.

Among all, optical covert channels attain the best transmission rates because of the extremely fast response time of LEDs. But, they require the receiver to be in the line of sight of the transmitter (e.g., be in the same room). Also, because of the high bit rates, photodiodes need to be used as the receiver, further restricting the effective distance even within the line of sight. In contrast, NoDE can have the transmitter and receiver in two different rooms that are 27.4 meters away from each other without line of sight.

Another important aspect of NoDE is that unlike other studies which cannot achieve both their highest bit rate and longest distance for the same settings (i.e., increasing distance decreases bit rate), NoDE works at the 27.4 meters distance without compromising its rate of 28.48 bits/s at 0% bit error. While Table 3 is not an exhaustive list, it provides important insights into the potential and limitation of various physical covert/side channels-based data exfiltration attacks.

9 CONCLUDING REMARKS

In this paper, we studied data exfiltration from a desktop computer in an enterprise environment, and proposed NoDE to achieve stealthy information transfer over a building’s power network without using any PLC adapters. NoDE exploits high-frequency switching noises caused by the PFC circuits built into all of today’s computers and achieves an effective rate of 28.48 bits/second with a distance of 90 feet (27.4 meters) without line of sight. We validated NoDE’s data exfiltration capability under different settings and hardware configurations. We also showed that certain configurations such as CPU speed scaling may reduce NoDE’s data exfiltration rates. In addition, we offered some insights into the limitations and open issues of our proposed system. Finally, we outlined a few possible defenses and suggested both hardware-based and software-based techniques.

REFERENCES


APPENDIX

A RELATED NOTIONS

**Power spectrum/frequency spectrum:** The power spectrum decomposes a signal into its frequency components and shows the power of each frequency component. To illustrate the changes happening in different frequency components of a signal, the power spectrum or frequency spectrum is typically shown over time with heat maps.

**Passband:** In signal processing, filters are applied to a signal to attenuate undesired frequency components while letting the useful frequency components pass. The passband refers to the frequency range that a filter allows to pass through. The passband is identified using the lower and upper cutoff frequencies. When a filter allows a specific frequency band to pass, it is called a band-pass filter. When the passband starts at zero (i.e., lower cutoff = 0 Hz), it is called a low-pass filter. When the passband ends at infinity (i.e., upper cutoff = infinity Hz), it is called a high-pass filter.

**Harmonics:** Harmonics are frequency components at multiples of the fundamental frequency. In a power system, harmonics are produced when the 50Hz/60Hz sinusoidal voltage or current gets distorted by non-linear loads (such as SMPS). Harmonics in the power system create unwanted losses in power transmission.

B VOLTAGE FROM A POWER OUTLET

We show in Fig. 20(a) a snapshot of the voltage trace collected from a power outlet in our lab. It can be seen that the supplied voltage varies by more than 500mV within just a few minutes. We further show the probability mass function (PMF) of a 24-hour voltage distribution in Fig. 20(b), demonstrating a nearly 5V variation in the actual supplied voltage.

C COMPUTER’S POWER SUPPLY UNIT

C.1 Conduction Modes for PFC

In Table 4, we show a summary of major conduction modes for PFC circuits used in today’s computers.

C.2 PFC Switching Frequency Variation

We show the cumulative distribution function (CDF) of our Dell Optiplex’s PFC switching frequency variation in Fig. 21(a). We see that the PFC switching frequency varies no more than 50Hz within 5 seconds. In Fig. 21(b), we also show the frequency spectrum over a 5-second window and confirm that there is only a small variation in the PFC switching frequency.

D ALGORITHM FOR CURRENT MODULATOR

We design a simple current modulator as described in Algorithm 3. The current modulator program takes 1/0 bit streams as the input and runs some dummy calculations (e.g., generating random numbers) to load the CPU and change the computer’s input current.

---

**Table 4: Summary of Major Conduction Modes for PFC [64]**

<table>
<thead>
<tr>
<th>Conduction Mode</th>
<th>Power Rating</th>
<th>Current Waveform</th>
<th>Frequency Analysis</th>
<th>Property</th>
</tr>
</thead>
<tbody>
<tr>
<td>Continuous Conduction Mode (CCM)</td>
<td>&gt;300W</td>
<td><img src="image" alt="CCM Waveform" /></td>
<td><img src="image" alt="CCM Frequency Analysis" /></td>
<td>- Fixed frequency - Large inductor - Lowest peak current</td>
</tr>
<tr>
<td>Discontinuous Conduction Mode (DCM)</td>
<td>&lt;300W</td>
<td><img src="image" alt="DCM Waveform" /></td>
<td><img src="image" alt="DCM Frequency Analysis" /></td>
<td>- High peak current - Reduced inductance - Good stability</td>
</tr>
<tr>
<td>Critical Conduction Mode (CrCM)</td>
<td>&lt;300W</td>
<td><img src="image" alt="CrCM Waveform" /></td>
<td><img src="image" alt="CrCM Frequency Analysis" /></td>
<td>- Varying frequencies - High peak current</td>
</tr>
</tbody>
</table>

**Figure 21: PFC switching frequency variation over time.**

**Figure 22: The current drawn by a Microsoft Surface Book contains a significant amount of harmonics.**

Algorithm 3 Current Modulator
Input: Bit stream $B$ and symbol duration $T$
for every bit $B_i$ do
    if $B_i == 1$ then
        Run dummy calculations for $T$ milliseconds
    else
        Idle for $T$ milliseconds
    end if
end for

E DATA EXFILTRATION RESULTS

E.1 Experiment on Dell Optiplex Computer
NoDE with different background applications. Now, we run experiments on our Dell Optiplex computer under settings different from the default one. First, to run a concurrent program to mimic a user’s normal activity, we play “See You Again” on YouTube on a Google Chrome browser, which is one of the most viewed videos [62]. We also run experiments using MS Word, web browsing, file transfer, and machine learning training as background applications, resulting in 0%, 0%, 3.5%, and 1.67% bit error rates, respectively. In the MS Word experiment, we mimic user behavior by repeatedly opening a new file, typing a few lines of text and then saving the file. For the web browsing experiment, we open new popular websites (e.g., GMail and Facebook), scroll through the page content, and follow links to other pages. For the file transfer experiment, we transfer a 5GB file from one HDD drive to another in our desktop computer running Windows 10. For the machine learning experiment, we repeat training Tensorflow in Python with 6000 samples from the MNIST data set, taking around five minutes to finish [52].

We show snapshots of the detections in Fig. 28.

NoDE with different number of CPU cores. Next, we restrict the number of cores that are assigned to the modulation program in NoDE, and show the experimental results in Fig. 29.

NoDE with different pilot lengths. Finally, we consider 4-bit (“1101”) and 8-bit (“11001010”) pilot sequences, and show the experiment results in Fig. 30.

E.2 Experiment Using Multiple Transmitters
Fig. 31 shows the snapshot of data exfiltration for different transmitters from our multi-transmitter experiment. Our results show 0% error for TX#1 and TX#4 while 6.8% and 1.1% error for TX#2 and TX#3, respectively.

E.3 Impact of CPU scaling on the transmitter
Snapshots of detection results for 10%, 50%, and 100% CPU states are shown in Fig. 32.

E.4 Experiment Without Line of Sight
Fig. 33 shows the snapshot of data exfiltration when the receiver and transmitters are placed in two separate rooms 90 feet away from each other in Building B.

F PMF OF NOISE IN EXTRACTED SIGNAL AMPLITUDES
We set the average signal amplitude of filtered voltage signals when transmitted bits are 1 as the reference signal amplitude for bit 1. When the transmitted bit is 1, any deviation of an actually received bit-wise signal amplitude from the reference value is considered as noise. Similarly, we also obtain the reference signal amplitude for bit 0, and obtain the noise. Next, we show the PMF of noise for both Dell Optiplex and Dell PowerEdge computers in Fig. 24. The noise amplitude distribution does not seem to be Gaussian. In other words, our covert channel is likely corrupted by non-Gaussian noises.

Figure 24: PMF of noise in extracted signal amplitudes.

G DEFENSE MECHANISM EXPERIMENTS

G.1 Experiment on a UPS-Powered Computer

We power our Dell PowerEdge computer through a CyberPower UPS, which is plugged into a power outlet in the transmitter’s room in Building B. In Fig. 36, we show that the receiver can still extract information without errors. Thus, a UPS-powered computer does not necessarily mean it is immune to the threat of NoDE, let alone its added UPS cost.

G.2 Experiment in the Presence of Noise Filters

We plug a noise filter (X10 XPPF [78]) into a power outlet in the transmitter’s room in Building B, and then plug the power cord of our PowerEdge computer into the noise filter. Although the intensity of high-frequency PSD spikes in the receiver’s voltage signal is reduced, it is still much higher than the power line background noise and detectable. In Fig. 37, we show that the receiver can have an effective rate of 25.57 bits/second. Although the transmission distance is reduced compared to the no-filter case, the receiver can still be located in another room without being restricted to the line of sight of the transmitter.

G.3 Random Power Load Defense

We test the performance of a defense program that injects random power loads by randomly deciding to either run a CPU-intensive computation or remain idle. We test NoDE’s performance under varying settings of the defense program’s time interval of the CPU loads, percent time of high CPU load, and number of CPU cores used by the defense program. Figs. 38, 39, 40, and 41 show snapshots of detection results for some selected cases of interest, while Fig. 25 shows the power overhead for different settings. Fig. 26 shows the current drawn by the defense program with the CPU load 20% and 60% of the time.

Figure 25: Power overhead for the defense program. (a) Power overhead remains same for different CPU load intervals. (b) Impact of the number of cores utilized by the defense program.

Figure 26: Current draw of the defense program running with random high CPU loads. (a) 20% high CPU load. (b) 60% high CPU load.

H SNAPSHOTS OF ALL DETECTION RESULTS

Figure 27: Different background applications.

(a) Youtube, bit error rate = 2.3%, bit rate = 27.82 bits/s
(b) MS Word, bit error rate = 0%, bit rate = 28.48 bits/s
(c) Web browser, bit error rate = 0%, bit rate = 28.48 bits/s
(d) File transfer, bit error rate = 3.5%, bit rate = 27.48 bits/s
(e) Machine learning, bit error rate = 1.67%, bit rate = 28 bits/s

Figure 28: Dell Optiplex computer with different numbers of CPU cores assigned to the modulation program in NoDE. The receiver filters its received voltage signals with passband of $<67.28\text{kHz}, 67.34\text{kHz}>$. 

(a) 1 core. 8.9% bit error rate, and 25.94 bits/second.
(b) 2 cores. 2.5% bit error rate, 27.77 bits/second.
(c) 3 cores. 0.0%, 28.48 bits/second.

Figure 29: Dell Optiplex computer with different pilot sequences. The receiver filters its received voltage signals with passband of $<67.28\text{kHz}, 67.34\text{kHz}>$.

Figure 30: Snapshots of data exfiltration with multiple transmitters.

Figure 31: Dell Optiplex computer with different CPU's maximum power states.
Figure 32: Dell PowerEdge computer in Building B with no line of sight between the receiver and transmitter. The voltage signal is filtered with a passband of $<65.77\text{kHz}, 65.83\text{kHz}>$. 

(a) Acer

(b) Custom built #1

(c) Custom built #2

Figure 33: Data exfiltration from different computers.

(a) Symbol length = 50ms, bit error rate = 16%, and bit per second = 15.79

(b) Symbol length = 66ms, bit error rate = 8%, and bit per second = 13.1

(c) Symbol length = 100ms, bit error rate = 2%, and bit per second = 9.2

(d) Symbol length = 125ms, bit error rate = 0%, and bit per second = 7.52

Figure 34: Snapshots of data exfiltration with iMac computer for different bit durations.

Figure 35: Dell PowerEdge computer powered by a CyberPower UPS. The voltage signal is filtered with a passband of $<65.77\text{kHz}, 65.83\text{kHz}>$. The resulting bit error rate is 0.0% and the effective bit rate is 28.48 bits/second.

Figure 36: Dell PowerEdge computer with a power line noise filter plugged into the power outlet. The voltage signal is filtered with a passband of $<65.78\text{kHz}, 65.84\text{kHz}>$. The resulting bit error rate is 10.2% and the effective bit rate is 25.57 bits/second.

(a) Symbol length = 15 ms, high CPU load = 20% times, bit error rate = 0%
(b) Symbol length = 33 ms, high CPU load = 20% times, bit error rate = 0%
(c) Symbol length = 66 ms, high CPU load = 20% times, bit error rate = 0%

Figure 37: Impact of CPU loading intervals with CPU loads 20% of the time.

(a) Symbol length = 15 ms, high CPU load = 60% times, bit error rate = 20%
(b) Symbol length = 33 ms, high CPU load = 60% times, bit error rate = 30%
(c) Symbol length = 66 ms, high CPU load = 60% times, bit error rate = 30%

Figure 38: Impact of CPU loading intervals with CPU loads 60% of the time.

Figure 39: Impact of number of cores used by the defense program with CPU loads 20% of the times.

Figure 40: Impact of number of cores used by the defense program with CPU loads 60% of the times.